
Mallox Ransomware Targets IT Industries with Innovative Attack Pattern


A new variant of Mallox ransomware, also tracked as TargetCompany ransomware, has been discovered. The family's alternate name comes from its habit of appending the targeted company's name to encrypted files as the extension, and this variant keeps that trait while changing how the payload is delivered and launched.

The threat actor distributes this variant through a downloader attached to spam emails. Mallox operators have also been known to target unsecured, internet-facing Microsoft SQL servers as an entry point.

Once a machine is compromised, Mallox encrypts files and appends a “.mallox” extension to them. Reported victims cluster in Manufacturing, Energy & Utilities, IT & ITES, and Professional Services.

The attack begins with a malicious attachment in a phishing email. The attachment is either an executable that downloads Bat Loader from a remote server or the Bat Loader itself. Unlike earlier variants, this one needs no separate downloader to fetch the ransomware payload.

Instead, the ransomware payload is embedded in the batch script itself and is injected into “MSBuild.exe” without ever being written to disk. When the user opens the attachment, the batch script assembles its commands by concatenating environment variables that are defined in a scrambled order, a simple obfuscation that keeps the plaintext commands out of the file.

A key feature of this variant is that the ransomware payload is stored in the Bat Loader as Base64-encoded text. The PowerShell stage reads the original Bat Loader, selects the lines containing the substring “ck”, and appends the text following “ck” on each such line to a string object; decoding that string yields the payload.
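The extraction step above is exactly what an analyst has to reverse when triaging a suspected Bat Loader. The following Python is an added example, not code from the original report or from the malware: it reproduces the described logic (keep the text after “ck” on each line that contains it, concatenate, Base64-decode) and then checks whether the result looks like a Windows executable. The sample loader it runs against is constructed here, including the `::ck` line layout and the variable-splitting noise; the real loader's line format is not given in the report.

```python
"""Recover a payload smuggled across lines of a batch loader.

Added example for analysts, not code from the original report or the
malware. It reproduces the extraction logic the article attributes to the
PowerShell stage: scan the .bat, keep the text after the marker "ck" on each
line that contains it, concatenate, Base64-decode. The sample loader is
constructed here; the real loader's line layout is not given in the report.
"""
import base64
import binascii
import hashlib
import re
from typing import Dict, List, Optional

MARKER = "ck"                                   # marker named in the report
_B64_ONLY = re.compile(r"^[A-Za-z0-9+/=]+$")     # filter for plausible fragments


def extract_marked_fragments(script_text: str, marker: str = MARKER) -> List[str]:
    """Text after the first `marker` on each line, kept only if it is pure Base64.

    A line such as 'echo Checking "env"' also contains "ck", so fragments
    with quotes or spaces are dropped; a decoy whose remainder happens to be
    Base64-safe would still corrupt the blob, which the decode step catches.
    """
    fragments = []
    for line in script_text.splitlines():
        idx = line.find(marker)
        if idx == -1:
            continue
        frag = line[idx + len(marker):].strip()
        if frag and _B64_ONLY.match(frag):
            fragments.append(frag)
    return fragments


def decode_payload(fragments: List[str]) -> Optional[bytes]:
    """Concatenate and Base64-decode; None when the result is not valid Base64."""
    try:
        return base64.b64decode("".join(fragments), validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE sniff: 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_loader(script_text: str) -> Dict[str, object]:
    """Summarise what a suspected Bat Loader is carrying."""
    fragments = extract_marked_fragments(script_text)
    payload = decode_payload(fragments)
    return {
        "fragments": len(fragments),
        "decoded_len": len(payload) if payload is not None else 0,
        "is_pe": payload is not None and looks_like_pe(payload),
        "sha256": hashlib.sha256(payload).hexdigest() if payload else None,
    }


def _build_fake_pe() -> bytes:
    """Constructed stand-in for the real binary: valid-looking headers, no code."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")      # e_lfanew -> PE signature
    return bytes(hdr) + b"PE\0\0" + b"constructed stand-in body, not real code"


def _build_sample_loader(payload: bytes, chunk: int = 24) -> str:
    """Constructed loader: variable-splitting noise, a decoy 'ck' line, payload lines."""
    b64 = base64.b64encode(payload).decode()
    lines = ["@echo off", "set a=pow", "set b=ershell", 'echo Checking "env"']
    lines += ["::" + MARKER + b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    return "\r\n".join(lines)


FAKE_PAYLOAD = _build_fake_pe()
SAMPLE_LOADER = _build_sample_loader(FAKE_PAYLOAD)

if __name__ == "__main__":
    print(triage_loader(SAMPLE_LOADER))
```

Run against a real sample, the SHA256 of the decoded blob is what you compare with the report's IOC list; if `is_pe` comes back false the marker or line layout differs from what the report describes and the script needs adjusting rather than the verdict.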

The PowerShell script also drops a batch script named “killerrr.bat” in the %TEMP% directory. It kills processes, stops, disables and deletes services, and removes directories, the usual preparation before encryption begins.

Finally, the PowerShell script injects the ransomware binary into MSBuild.exe. The ransom note is then displayed, giving contact details and the demand for payment to decrypt the files.
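The two preceding steps leave observable traces in process-creation telemetry: a batch file named killerrr.bat running from %TEMP%, a burst of service- and process-killing commands from one parent, and MSBuild.exe started by PowerShell rather than by a build tool. The Python below is an added example, not part of the original report: it runs three such rules over a constructed, Sysmon-style process-creation feed. The field names, paths, service and process names in `EVENTS`, and the burst threshold are all assumptions for illustration.

```python
"""Flag the post-compromise behaviour the report describes in process telemetry.

Added example, not part of the original report. EVENTS is a constructed
Sysmon-style process-creation feed (Event ID 1 fields reduced to image,
parent image, command line, pids, timestamp) for one infected host plus two
benign events; field names, paths and the burst threshold are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
TEMP = r"C:\Users\victim\AppData\Local\Temp"


def ev(ts, pid, ppid, image, parent, cmdline) -> Dict:
    return {"ts": ts, "pid": pid, "ppid": ppid, "image": image,
            "parent": parent, "cmdline": cmdline}


EVENTS: List[Dict] = [                                   # constructed sample
    ev(100, 4100, 900, CMD, r"C:\Windows\explorer.exe", f'cmd.exe /c "{TEMP}\\invoice.bat"'),
    ev(101, 4120, 4100, PS, CMD, "powershell.exe -w hidden -nop -c $x"),
    ev(102, 4140, 4120, CMD, PS, f"cmd.exe /c {TEMP}\\killerrr.bat"),
    ev(103, 4160, 4140, r"C:\Windows\System32\sc.exe", CMD, "sc stop svc_example"),
    ev(103, 4161, 4140, r"C:\Windows\System32\sc.exe", CMD, "sc config svc_example start= disabled"),
    ev(104, 4162, 4140, r"C:\Windows\System32\sc.exe", CMD, "sc delete svc_example"),
    ev(104, 4163, 4140, r"C:\Windows\System32\taskkill.exe", CMD, "taskkill /f /im example.exe"),
    ev(105, 4164, 4140, CMD, CMD, r"cmd.exe /c rd /s /q C:\Users\victim\Documents\backup"),
    ev(106, 4200, 4120, MSBUILD, PS, "MSBuild.exe"),
    # benign: a developer build and a one-off service query
    ev(500, 5000, 4900, MSBUILD, r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "MSBuild.exe MyApp.sln /t:Build"),
    ev(501, 5010, 4990, r"C:\Windows\System32\sc.exe", CMD, "sc query wuauserv"),
]

# Commands killerrr.bat is reported to issue: service stop/disable/delete,
# forced process kills, recursive directory removal.
TAMPER_RE = re.compile(
    r"\bsc(?:\.exe)?\s+(?:stop|config|delete)\b"
    r"|\btaskkill(?:\.exe)?\b.*\s/f\b"
    r"|\bnet(?:\.exe)?\s+stop\b"
    r"|\b(?:rd|rmdir)\s+/s\b",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_killer_bat(e: Dict) -> bool:
    """The report names killerrr.bat dropped in %TEMP%."""
    c = e["cmdline"].lower()
    return "killerrr.bat" in c and "\\temp\\" in c


def rule_msbuild_from_powershell(e: Dict) -> bool:
    """MSBuild.exe is the injection host; a PowerShell parent is abnormal for it."""
    return basename(e["image"]) == "msbuild.exe" and basename(e["parent"]) == "powershell.exe"


def rule_tamper_burst(events: List[Dict], threshold: int = 4, window: int = 10) -> List[int]:
    """Parents that launch >= threshold tampering commands within `window` time
    units. Threshold and window are assumptions to tune per environment."""
    by_parent = defaultdict(list)
    for e in events:
        if TAMPER_RE.search(e["cmdline"]):
            by_parent[e["ppid"]].append(e["ts"])
    hits = []
    for ppid, stamps in by_parent.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):      # sliding window
            if stamps[i + threshold - 1] - stamps[i] <= window:
                hits.append(ppid)
                break
    return hits


def detect(events: List[Dict]) -> List[Dict]:
    findings = []
    for e in events:
        if rule_killer_bat(e):
            findings.append({"rule": "killerrr_bat_from_temp", "pid": e["pid"], "detail": e["cmdline"]})
        if rule_msbuild_from_powershell(e):
            findings.append({"rule": "msbuild_spawned_by_powershell", "pid": e["pid"], "detail": e["cmdline"]})
    for ppid in rule_tamper_burst(events):
        findings.append({"rule": "service_tamper_burst", "pid": ppid,
                         "detail": "parent issued a burst of sc/taskkill/rd commands"})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:32} pid={f['pid']:<6} {f['detail']}")
```

The burst rule is the one worth keeping even after the operators rename killerrr.bat: the file name is trivial to change, but stopping, disabling and deleting services in quick succession from a single parent is the behaviour the ransomware needs, so it survives renaming better than a hash or a path match.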

Mallox has claimed more than 20 victims across 15 countries, with India the most targeted nation, followed by the United States. To limit the damage from ransomware, experts recommend regular backups kept offline or otherwise out of reach of a compromised host, prompt patching of devices, reputable anti-virus software, and not opening untrusted links or email attachments.

The original report lists Indicators of Compromise (MD5, SHA1 and SHA256 hashes) for the Bat Loader and the killerrr.bat script; the hash values themselves are not reproduced here.

In conclusion, a new Mallox variant has emerged that appends the targeted company’s name to encrypted files as the extension. It is distributed through spam emails, while the operators also target unsecured Microsoft SQL servers. The loader batch script carries the payload itself and injects it into MSBuild.exe, and the ransom note supplies contact information and the demand. Individuals and businesses should take preventive measures against ransomware attacks.
